Although you didn't say whether you had already set up your server, or whether this is all hypothetical, the OpenBSD project doesn't advocate a lot of knob turning. So in response, what have you set up, & how are you measuring performance? What hardware is being used? Supply dmesg(8) output.

To the best of my knowledge, VPS offerings have never been discussed here. I don't have any experience myself. However, this has been discussed on misc@ before. See http://marc.info/?t=130745549700006&r=1&w=2 for one example. RootBSD is mentioned in that particular discussion thread. You may find other discussions, just by searching.

Quote:

for a moderate vps, how many people can surf the site together?

You will have to ask this of your prospective vendors. Only they know the underlying hardware platforms and hypervisor OS and the performance of the guest platforms.

Quote:

How can I check it with ab ?

ab(1) is not part of the built-in Apache 1.3. It is included as a component of the Apache2 package/port, apache-httpd. Should you choose apache-httpd, please note its install message, which I have reproduced here:

Code:

Install notice:
This is the official httpd distributed by the Apache Server Project,
provided as a port for those who, for various reasons, need to run
version 2.
OpenBSD provides a custom Apache server, httpd(8), in the base system
which has been audited for security and may run in a chroot(2)
environment. Users are STRONGLY encouraged to use the system httpd
rather than this port.

Quote:

How much RAM will I need?

That will depend upon your specific webserving requirements, which have not been described in sufficient detail.

Quote:

What PF rules is it important to use?

You will want to permit valid use of your web services, and prevent misuse or denial-of-service to them. See the "Stateful Processing" section of the PF User's Guide for tools to manage the latter, such as "overload" and "flush". In similar fashion, you will want to ensure you can manage your virtual server, so you will need to permit your own SSH access, and if you want your sshd service open to the Internet at large, you will want stateful processing to prevent misuse or bulk break-in attempts.

Any specific recommendations will require further information on your specific needs.
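
Added example, not part of the original thread: a minimal pf.conf sketch of the stateful tracking options named above ("overload" and "flush"), applied to a web service and to sshd. The interface name, the admin address, the table name and every threshold are assumptions to be replaced and tuned for the actual server.

```pf
# Constructed example. All names and numbers below are assumptions.
ext_if = "vio0"             # assumed name of the VPS network interface
admin  = "203.0.113.10"     # documentation address standing in for your own IP

# Sources that exceed a limit below are added to this table.
table <abusers> persist

set skip on lo

# Default deny, and drop known offenders before any pass rule is evaluated.
block all
block in quick on $ext_if from <abusers>

# Outbound traffic from the server itself (state is kept by default).
pass out on $ext_if inet proto { tcp udp icmp } all

# Web service: cap simultaneous connections and new-connection rate per source.
# A source that exceeds either limit goes into <abusers>, and "flush global"
# kills all of its existing states, not only those created by this rule.
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 80 443 } \
    keep state (max-src-conn 100, max-src-conn-rate 50/5, \
                overload <abusers> flush global)

# Management: SSH from your own address only.
pass in on $ext_if inet proto tcp from $admin to ($ext_if) port 22

# Alternative if sshd must be reachable from anywhere: much tighter limits,
# since legitimate SSH clients open few connections.
# pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
#     keep state (max-src-conn 5, max-src-conn-rate 3/30, \
#                 overload <abusers> flush global)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. Entries in the table do not age out on their own; `pfctl -t abusers -T expire 86400`, run periodically, removes those older than a day.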

Barti, Ocicat wanted to point out to you that as of OpenBSD 5.1, nginx has been added to the base OS.

Quote:

You have not disclosed any information about what will be running on the server...

Well, we have some information, but only a little. We do know that it is intended to serve static web pages, but that is all. We don't know if those are from flat files or from a back end database, nor do we know how many virtual webservers will be deployed. We also don't know anything about the underlying environment barti's service provider(s) deploy, or their impact on guest OSes.

Does running a Drupal site consume much more resources than normal static pages?

Of course. There is more work being performed.

Quote:

What about security with CMS systems?

Each usually has its own authentication/authorization scheme, which is usually unique.

Quote:

Will I lose the OpenBSD protection?

This is too general a question. What do you mean by "protection"? Applications that have their own authentication/authorization are outside the scope of the OS's authentication/authorization. But that does not stop applications from using OS "protection" features such as privilege separation, if they use them.

I recommend you think about application security and OS security as separate functions.

Quote:

I don't have the knowledge of running a server online with many people using it.

Then don't make any technical decisions until you have a well understood project scope and a clear set of objectives.

1. Configure a test server.
2. As specific questions about your test server arise, ask.
3. When you have an environment you understand and can manage locally, practice managing it as if it were physically remote.
4. Once you are comfortable with remote operation and management, then you may contact your VPS vendors, ask them specific questions, and choose between them.

At their best, pf(4) rules need to be written to the specifics of the network in place. You will be placing yourself into a better position if you learn how to write them yourself. The best sources of information are:

Third party guides and "how to" documents of all kinds are frowned upon by the OpenBSD Project. They are frequently out-of-date, often incorrect, if correct only applicable to a subset of user environments, and often written by justifiably proud newbies who may not understand the implications or limitations of what they have written.

In this case, you are referencing a guide that is more than 11 years old.

Here is a recent misc@ thread about another third party site which is very popular among newbies for OpenBSD "optimization" guidance. The thread begins here, and goes a very long way: